Bringing order to the world of avatars

What are digital identities, and why do we need a Swiss edu-ID when we already have SWITCHaai?

Text: Christoph Graf, published on 11.10.2015

The virtual world is populated by digital identities. They contain personal details – such as names, addresses, roles and authorisations – known as attributes. Access usually requires a user name and a password. Users set up some identities themselves, whereas others are set up by an institution, particularly when the information and authorisations they contain have to be approved. One example of a digital identity is a SWITCHaai login at a university in Switzerland (see box).

Shared policies and interfaces

With SWITCHaai, the academic community solved the problem of managing a large number of identities for various resources a whole decade ago. It agreed to use shared policies and interfaces, referred to as identity federations, as well as the same basic identities. Cross-border access has even been possible for a number of years thanks to the eduGAIN interfederation service, which is being constantly expanded and is of crucial importance for researchers working internationally. SWITCH plays an active role here (see articles "No country can manage in isolation" and "The recipe for cutting-edge international research") SWITCHaai has been proving its worth for ten years, and eduGAIN is well on the way towards doing the same, so why should the Swiss universities need new digital identities? The answer is that SWITCHaai was created with institutions in mind, not users. This has resulted in a few annoying problems that the Swiss edu-ID is intended to solve:

Lack of persistence: When users leave an organisation, they lose their SWITCHaai login, meaning that they can no longer access any of the services they were previously using. This is extremely tiresome with regard to services that are tied to the individual and not dependent on membership of the organisation (see article "Less hassle, less effort").

Lack of user orientation: Users who change to a new organisation – or sometimes to a new role within the same organisation – have their old account deleted and receive a new one. They are no longer recognised by the services they used to use, and they no longer have access to their old working environment.

Problems with non-members: Only members of an organisation that participates in SWITCHaai can access the resources protected with it. When the organisation works with external users, its administrators must enter them separately or ensure that additional digital identities are supported.

Lack of flexibility on quality: Self-declared user attributes are sufficient for some applications, but others have stricter requirements. SWITCHaai only supports one level of quality.

Poor support of mobile environments and applications in the non-web space: SWITCHaai only supports web interfaces. There is no provision for others.

Users can enter their own basic data. Anyone who already has a SWITCHaai login can convert it into a Swiss edu-ID

The Swiss edu-ID is designed to work as follows:

Users can enter their own basic data. Anyone who already has a SWITCHaai login can convert it into a Swiss edu-ID (see article "Your folder for life"). The basic data are stored by the identity provider, which in this case is SWITCH. Attributes referenced therein, for example those relating to authorisations, are controlled by the individual institutions, which must verify them and make them available in the required quality.

IT administrators save a lot of time and effort

The institutions can access the basic data via compatible interfaces. This saves their IT administrators a lot of time and effort and also helps them to avoid unwanted duplication (see article "Less hassle, less effort").

The creation of the Swiss edu-ID is leading to a complex situation as regards data protection. Federal law and cantonal rules apply. SWITCH is working to clarify the legal aspects and take account of them in its development efforts (see article "Right to be forgotten and lifetime data retention").

The Swiss edu-ID will play a vital role for the academic community going forward. It is strongly favoured by swissuniversities in the context of its programme P-2 "Scientific information: access, processing and safeguarding" (see article "Empowering Swiss research"). The idea at the heart of P-2 is that certain services will be offered to universities on a centralised basis so that they do not need to expend resources on their own solutions. This simply cannot happen without a shared digital identity.

This article appeared in the SWITCH Journal October 2015.

About the author

Christoph Graf

Christoph Graf graduated in Electrical Engineering at the Federal Institute of Technology in Zurich in 1986. He joined SWITCH in 1991. After leaving to work at DANTE in Cambridge, he came back to SWITCH in 1998. He is now in charge of Supporting Operations.

SWITCHaai and Swiss edu-ID

AAI stands for Authentication and Authorisation Infrastructure. This infrastructure makes it easier to access online resources within the Swiss academic community. University members only need one digital identity. The SWITCHaai login they receive from their university is their passport to almost all the resources made available on the web by Swiss universities and related organisations. SWITCHaai has been in use since 2005. The Swiss edu-ID is based on the same principles.